Implementation of new policy, that will specify the domains of user accounts allowed to log in to GAIA from a managed device.
Policy name is AllowedDomainsForApps. It is defined as a string, comma separated list of domains that are allowed.
When empty or not set, all the accounts are allowed to be used.
When policy is present, browser includes additional header with name X-GoogApps-Allowed-Domains and value from the policy in every request that user does.
If request is directed to GAIA service, it will be checked against the URL to see if the domain is allowed.
This can be tested by setting the policy manually on a local machine (for example, on Linux, create the file /etc/chromium/policies/managed/allowedDomainsPolicy.json
with contents { "AllowedDomainsForApps": "google.com" }), then running the Chromium browser and trying to log in to Gmail with a Gmail account.
The page received will say that the admin doesn't allow to use that account on this machine.
BUG=470521
Review-Url: https://codereview.chromium.org/1659623004
Cr-Commit-Position: refs/heads/master@{#396436}
diff --git a/chrome/browser/net/chrome_network_delegate.cc b/chrome/browser/net/chrome_network_delegate.cc
index c333cf056..76cdfb9 100644
--- a/chrome/browser/net/chrome_network_delegate.cc
+++ b/chrome/browser/net/chrome_network_delegate.cc
@@ -293,6 +293,7 @@
enable_do_not_track_(NULL),
force_google_safe_search_(NULL),
force_youtube_safety_mode_(NULL),
+ allowed_domains_for_apps_(nullptr),
url_blacklist_manager_(NULL),
domain_reliability_monitor_(NULL),
data_use_measurement_(metrics_data_use_forwarder),
@@ -342,6 +343,7 @@
BooleanPrefMember* enable_do_not_track,
BooleanPrefMember* force_google_safe_search,
BooleanPrefMember* force_youtube_safety_mode,
+ StringPrefMember* allowed_domains_for_apps,
PrefService* pref_service) {
DCHECK_CURRENTLY_ON(BrowserThread::UI);
enable_referrers->Init(prefs::kEnableReferrers, pref_service);
@@ -363,6 +365,11 @@
force_youtube_safety_mode->MoveToThread(
BrowserThread::GetMessageLoopProxyForThread(BrowserThread::IO));
}
+ if (allowed_domains_for_apps) {
+ allowed_domains_for_apps->Init(prefs::kAllowedDomainsForApps, pref_service);
+ allowed_domains_for_apps->MoveToThread(
+ BrowserThread::GetMessageLoopProxyForThread(BrowserThread::IO));
+ }
}
// static
@@ -441,6 +448,14 @@
FROM_HERE_WITH_EXPLICIT_FUNCTION(
"456327 URLRequest::ChromeNetworkDelegate::OnBeforeURLRequest 5"));
+ if (allowed_domains_for_apps_ &&
+ !allowed_domains_for_apps_->GetValue().empty() &&
+ request->url().DomainIs("google.com")) {
+ request->SetExtraRequestHeaderByName("X-GoogApps-Allowed-Domains",
+ allowed_domains_for_apps_->GetValue(),
+ true);
+ }
+
if (connect_interceptor_)
connect_interceptor_->WitnessURLRequest(request);
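Review bot: The `X-GoogApps-Allowed-Domains` header is attached whenever the current URL satisfies `request->url().DomainIs("google.com")`, but nothing in this hunk removes it again if the request is later redirected to a host outside google.com. If extra request headers are carried across redirects (not visible here, worth confirming), the admin's domain list would be disclosed to that third-party host, so the redirect path should strip the header. The condition also has no scheme check, so the header goes out on cleartext `http://` requests to google.com as well, where an on-path intermediary can drop it. Enforcement should not be assumed for those requests. The commit description says the header is added to "every request", while the code limits it to google.com; a comment above the `if`, such as `// Policy value is sent to google.com hosts only; it must not reach other sites.`, would record the intended scope. OnBeforeURLRequest begins and ends outside this hunk.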